feat(organization): prevent inviting users with owner role

- Added validation to prevent users from being invited with the owner role in the organization and user routers.
- Implemented TRPCError responses to ensure proper error handling when attempting to assign the owner role.
This change enhances role management and security within the organization structure.

https://github.com/Dokploy/dokploy/security/advisories/GHSA-fm9p-wmpw-gxjh
This commit is contained in:
Mauricio Siu
2026-05-13 00:42:29 -06:00
parent aff200f84f
commit 67278d8783
2 changed files with 15 additions and 0 deletions
@@ -295,6 +295,14 @@ export const organizationRouter = createTRPCRouter({
});
}
// Owner role is non-delegable — no one can invite as owner
if (input.role === "owner") {
throw new TRPCError({
code: "FORBIDDEN",
message: "Cannot invite a user with the owner role",
});
}
// If assigning a custom role, verify it exists
if (!["owner", "admin", "member"].includes(input.role)) {
const customRole = await db.query.organizationRole.findFirst({
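Review bot: The guard at `if (input.role === "owner")` only protects the invite path; if this router also exposes a mutation that changes an existing member's role (not visible in this hunk), it needs the same non-delegable check, otherwise a member could still be promoted to owner after being invited with a lower role. If the input schema for `role` is an enum, excluding "owner" there as well would make the constraint visible in the API type rather than only at runtime. The comparison is exact-match, which is consistent with the `["owner", "admin", "member"].includes(input.role)` check that follows, so no normalization is needed here. The enclosing mutation handler starts and ends outside the hunk.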
@@ -594,6 +594,13 @@ export const userRouter = createTRPCRouter({
});
}
if (input.role === "owner") {
throw new TRPCError({
code: "FORBIDDEN",
message: "Cannot create a user with the owner role",
});
}
return await createOrganizationUserWithCredentials({
organizationId: ctx.session.activeOrganizationId,
email: input.email,
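Review bot: The new `if (input.role === "owner")` guard before `createOrganizationUserWithCredentials` has no comment explaining why the role is rejected, unlike the parallel guard in the organization router; add `// Owner role is non-delegable — no one can create a user as owner` above the `if` so the two checks read the same way. If this router also has a mutation that updates an existing user's role (not visible here), it would need the same guard. The enclosing mutation handler starts and ends outside the hunk.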